Channels
android_tests
apple-silicon
arm-architecture
auditing-warroom
aws
carving
code-review
community-feeds
core
darkbytes
doorman
ebpf
eclecticiq-polylogyx-extension
extensions
file-carving
fim
fleet
fleet-dev
fleetosquery
foundation
fuzzing
general
golang
goquery
infrastructure
jobs
kolide
linen-dev
linux
macos
officehours
osctrl
plugins
process-auditing
querycon
queryhub
random
selfgroup
sql
tls
uptycs
vendor-feeds
website
windows
zeek
zentral
zercurity
Title
i
Ian
05/17/2023, 10:31 AMHello. Looking for advice on how to fix this osquery segment for checking Windows patch levels. My column called is_compliant is not working as expected. Should be showing as yes for the highlighted areas. Thanks in advance for help where I've tripped on the logic here.
Note: I'm not using os_version build numbers because they are not reliable.
SELECT
CAST(os_version.build AS integer) AS build,
CAST(SPLIT(kernel_info.version, '.', 3) AS integer) AS patch,
CASE
WHEN build >= 19045 AND patch >= 2965 THEN 'Yes'
WHEN build >= 22621 AND patch >= 1702 THEN 'Yes'
ELSE 'No'
END AS is_compliant
FROM kernel_info, os_version;v
V
05/17/2023, 1:06 PMThis statement works as expected
SELECT
CAST(os_version.build AS integer) AS build,
CAST(SPLIT(kernel_info.version, '.', 3) AS integer) AS patch,
CASE
WHEN build >= 19045 AND CAST(SPLIT(kernel_info.version, '.', 3) AS integer) >= 2965 THEN 'Yes'
WHEN build >= 22621 AND CAST(SPLIT(kernel_info.version, '.', 3) AS integer) >= 1702 THEN 'Yes'
ELSE 'No'
END AS is_compliant
FROM kernel_info, os_version;s
seph
05/17/2023, 1:07 PMNote: I’m not using os_version build numbers because they are not reliable.Hrm. Can you say more?
One thing I wonder, is whether or not having the
CASEv
V
05/17/2023, 1:11 PMSomehow in this situation, column
buildCASEE.g.
Just using the build column in the below statement provides the correct output.
SELECT
CAST(os_version.build AS integer) AS build,
CAST(SPLIT(kernel_info.version, '.', 3) AS integer) AS patch,
CASE
WHEN build >= 19045 THEN 'Yes'
WHEN build >= 22621 THEN 'Yes'
ELSE 'No'
END AS is_compliant
FROM kernel_info, os_version;SELECT
CAST(os_version.build AS integer) AS build,
CAST(SPLIT(kernel_info.version, '.', 3) AS integer) AS patch,
CASE
WHEN patch >= 2965 THEN 'Yes'
ELSE 'No'
END AS is_compliant
FROM kernel_info, os_version;s
seph
05/17/2023, 1:20 PMThere’s some chance
buildi
Ian
05/17/2023, 1:59 PM@seph So the context is that os_version.build are returning different build numbers so I decided to matchmake the two sources. In my fleet I get kernel_info.version showing 19041 whereas os_version.build shows 19045. Not exactly sure what is going on. A colleague hypothesised that the kernel_info.version build is produced from the original build distributed with the PC whereas os_version.build is the actual current running build of windows upgraded from the original distro.
os_version does not give me the patch levels detail I want but kernel_info.version does 🤷
v
V
05/17/2023, 2:08 PMkernel_info.versionC:\Windows\System32\ntoskrnl.exeos_version.builds
seph
05/17/2023, 2:09 PMThank you Vivek, I was just going to look that up!
I’m not sure what to do with the info, windows might just do that. Does the discrepancy persist across reboots?
i
Ian
05/17/2023, 2:12 PMYes it persists. I'm using wikipedia nicely formatted table as the source of the patch levels to update my query/policy, it provides the full version including patch in the public patch release table. _os_version_ falls short.